1. Technical Field
The invention is related to a system and method that encodes and decodes data. More particularly, this invention is related to a system and method for encoding and/or decoding media data in order to efficiently traverse firewalls that protect a computer network.
2. Related Art
A firewall is a security system intended to protect an organization's computer network against external threats, such as hackers, coming from another network, such as the Internet. A firewall prevents computers in the organization's network from communicating directly with computers external to the network and vice versa. Instead, all communication is routed through a proxy server outside of the organization's network, and the proxy server decides whether it is safe to let a particular message or file pass through to the organization's network.
A typical corporate network, or similar network, employs an external firewall, a Demilitarized Zone (DMZ) and an internal firewall. The DMZ consists of one or more servers deployed in a network that typically have a public interface which is used by clients in the Internet to access a service, and a private interface which is used by the one or more servers to access resources in the corporate network, also referred to as the internal network. An internal firewall is a firewall deployed at the inner edge of a corporation's network. This firewall prevents access of computers in the DMZ to sensitive information/resources in the corporate network. The public interface is protected by the external firewall and the internal firewall prevents traffic from the internal interface to enter the corporate network.
Server machines placed in the DMZ have very limited access to computers in the internal network. For security reasons, on the internal firewall, network administrators allow outbound Transmission Control Protocol (TCP) connections (from inside the internal network to the outside) and possibly allow opening User Datagram Protocol (UDP) ports. For an external firewall only a limited number of ports are allowed to be opened.
Media packets are typically transferred across the Internet using Real-time Transport Protocol (RTP). RTP provides end-to-end network transport functions suitable for applications transmitting real-time data such as audio, video or simulation data, over multicast or unicast network services. The data transport is augmented by a Real-Time Control Protocol (RTCP) to allow monitoring of the data delivery in a manner scalable to large multicast networks, and to provide minimal control and identification functionality. RTP and RTCP are designed to be independent of the underlying transport and network layers.
Sending media (e.g., audio/video) across firewalls via RTP typically requires opening up multiple ports, called UDP ports, in the external firewall. This is so because RTP (Real Time Protocol, RFC 1889), which is the protocol used to carry media packets over an IP network, requires a separate UDP receive port for each media source. That is, each client receiving media data requires its own UDP receive port in the external firewall. Opening up multiple media ports in the external firewall is something that network administrators are not comfortable doing as it presents a security vulnerability.
To provide secure transmission of media packets over the Internet using Internet Protocol (IP), a client (sender) typically encrypts the packets before transmission to provide confidentiality and integrity. Security at the DMZ is of utmost importance since the servers in the DMZ have an interface in the public network, i.e., with an IP address routable over the public IP Internet. This opens the servers in the DMZ up to attacks from any malicious computer user on the Internet. The attacks can be of various types, such as, for example, a Man-in-the-middle attack (when an attacker is able to intercept traffic by placing themselves in the middle of the conversation) or a Denial of Service attack (any attack used to achieve the disruption of any service to legitimate users). A server called a media-relay server is one of the servers deployed in the DMZ of a corporate or other network. This media-relay server receives media traffic from external clients (clients in the public internet or clients in a different network) and, after enforcing security, relays the traffic to clients inside the corporate network. The media-relay server maintains a Security Association (SA) for each corporate client behind it that it may relay media packets to. The SA for each client includes the encryption keys used to decrypt the packets. The SA is established during the dialog setup between the sending and receiving clients. Messages in the dialog traverse through the Media-Relay server in the signaling path when the dialog is being setup between the clients. It is assumed that the information exchanged to setup the SA in the signaling path is secure.
Two UDP ports (one each for RTP and RTCP as described in RFC 1889) are typically opened in the external firewall for each client receiving media data. Therefore, a variable number of ports must be opened based in the external firewall based on the number of clients connecting. Presently, a SA for each client is associated with the UDP ports for that client. This SA is used to decrypt the packet as explained in the previous paragraph via conventional methods. As a result, if only a fixed small number of UDP ports are allowed to be opened on the external firewall, regardless of the number of actual clients trying to receive media data across it, there is no way to associate the packets arriving at the UDP ports to a given client. A mechanism is required at the server to retrieve the SA of the client to which the media traffic is supposed to be forwarded. In order to limit the number of open ports on the external firewall, a different mechanism than is presently available is required.
Therefore, what is needed is a system and method for allowing data to traverse a firewall using only a small fixed number of open media ports (e.g., UDP ports) on the external firewall, regardless of how large the number of actual clients is that are attempting to receive media data through the firewall.